Editor: Welcome back, Matt. Tell us what’s new in the bring-your-own-device (BYOD) and mobile workplace arenas.
Brown: People want to use technology at work the same way they use it at home, and this trend is continuing with end users driving IT strategies toward that goal. For example, employees want to use an iPad for personal and business purposes regardless of where they are physically located. Traditionally, the use of mobile devices within an organization was standardized on one particular device – the Blackberry – but today’s user wants the option to use an Android or Apple device as well. As a result, IT faces the challenge of having to support a wide range of personal devices, while retaining visibility of their data and user activity. IT also has to ensure security around each of those devices.
Technology is now in the hands of everyday people, which means that they have identified apps that work best for them. Corporate devices may be physically locked down and offer only IT-sanctioned apps, but today’s mobile users want to use their own technology. This is a new dynamic, and it creates challenges for IT, particularly around maintaining proper controls.
Editor: What is your advice for businesses interested in developing a BYOD strategy?
Brown: I have a few suggestions. At the heart of any BYOD strategy is the ability for users to select their own technology; however, offering such choice in the enterprise context creates a greater need for control than in the personal-use context. So, my first suggestion is that IT should adopt a standardized roster of acceptable devices for the organization, such as specific products offered by Apple, Android or BlackBerry. In doing so, IT can establish control over a discrete set of devices without having to cover the waterfront of options.
Certainly, IT should avoid any device that is “jailbroken,” meaning that it has been modified to remove the controls set by the original manufacturer and therefore cannot be reliably controlled. Jailbroken devices can potentially introduce viruses or even malware, so I advise that IT additionally ensure that individual devices are checked to root out this potential issue.
My next suggestion is to establish security and control over the device, such as by enforcing a password or pin code policy and by implementing some level of encryption, as required.
Now, a key concern in the BYOD scenario is controlling which apps are installed by end users. In our experience, it’s a very good idea for organizations to set up an enterprise app store where users can select and download from a specific list of IT-approved apps. We strongly advise against allowing users to freely download apps from the Apple Store, and we also suggest restricting user access to certain websites, such as Facebook, in order to curtail unauthorized downloads.
These measures are important for a few reasons. First, unauthorized apps, particularly for personal use, can increase bandwidth volumes and costs. Limiting access to apps for personal use can go a long way to reducing unnecessary and non-business-related bandwidth volumes and mobile network costs, particularly when users are travelling with data roaming enabled.
Second, these controls can eliminate wasted time that users spend on unapproved, unproductive apps. Finally, and perhaps most importantly, by restricting downloading activity, you can decrease the risk of data leakage outside of the organization through consumer-grade apps.
Editor: Assuming a baseline level of cooperation, how far should a company go to regulate employee use of personal devices?
Brown: A big piece of this analysis involves the need to be pragmatic. Regulation of device usage can be enforced through company policies, just as long-standing policies have been successfully applied to email usage. If you ensure that employees understand what defines the acceptable use of personal devices, then you have the basis to enforce those policies. We also suggest looking at available technologies that are designed to control mobile devices, such as MDM (Mobile Data Management). In Workshare’s case, we have focused a lot of attention on securing our app as installed on these various devices and partnering with MDM providers.
Editor: So the idea is that Workshare’s app becomes one of those IT-approved apps that doesn’t conflict with enterprise policies.
Brown: That’s right.
Editor: Who should be involved in the process of adopting a BYOD strategy?
Brown: Obviously, IT, compliance, and data security people need to be involved. It is also very important to include end users, who, for the purpose of this discussion, we’ll identify as lawyers and, to a certain extent, their clients. Because the device and any installed apps will be a means of interaction, efforts should be made to ensure that clients are comfortable sharing information by using an app on a device rather than via email. And just to clarify, use of Workshare’s app by one party does not require adoption of our technology by all parties. Our app also can be used in conjunction with traditional email.
Accordingly, a critical point for the successful adoption of a BYOD strategy involves closely examining the needs of end users. It’s a good idea to survey users and find out what their preferred devices are, what types of apps they prefer, how they will interact with people outside the organization, and how comfortable those external people are with storing and sharing information in the BYOD environment.
Editor: What are the security risks with BYOD?
Brown: One of the most important security risks arises when a device is stolen or lost. The classic case is leaving a phone in the back of a taxi. If the device is not protected, it can reveal all of its stored data, which could be very damaging. It’s also important to make sure that employees who leave the organization aren’t able to take corporate data with them.
To overcome these risks, you need strong security controls on the device. This can be accomplished, for instance, by establishing a passcode policy or by using apps that require a password. It’s also important to have the ability to wipe the data from the device at any point, particularly if it is lost, and to be able to track the location of the device and determine whether it is enabled. If so, it should be disconnected from the corporate network.
Editor: Are IT departments tapping into the native GPS capabilities on many of today’s mobile devices?
Brown: Yes, and they also can use mobile device management tools whose sole purpose is to enable the tracking of individual devices through technology that’s already on the phone. Workshare’s app supports many of those tools for enforcing security, but it’s important to note that, additionally, data security capabilities are built into the Workshare application to secure data that resides within the app itself.
Editor: What are the security risks with personal file-sharing tools?
Brown: There is a myriad of personal productivity tools available for mobile devices, many of which have file-sharing capabilities, such as Dropbox. When using these tools, you should be very careful to know where your data is stored and, for example, how jurisdictional and associated data privacy factors come into play if you are located in Europe versus in the U.S.
On top of compliance risks are data security risks, which imply the need to ensure that data is fully encrypted and safe from unauthorized access. Many file-sharing tools are cloud based; they can be accessed from anywhere, not just stored on the device; thus, cloud services must be thoroughly vetted for security protocols. And the same rigorous standards should be applied to an app when data is stored on the device itself.
Because these are such popular tools, it’s up to IT to survey the market and find the most approved, usable, and productive tool so that users don’t feel the need to download their own personal file-sharing tools.
Editor: What are some of the key differences between Workshare’s enterprise solution and consumer-based file-sharing apps?
Brown: One critical difference is that Workshare offers the ability to control your data by choosing where it is stored, which is a desirable feature for many of our clients and which is particularly important to international organizations and law firms. Our app allows you to manage data, to manually delete it at any time, and to set policies for automatic deletion after a period of time. Consumer-grade tools largely don’t offer that level of control – nor do they provide end-to-end encryption when sharing files, both on the device itself and also when sharing with someone outside your network.
Further, enterprise tools must be managed around the end user, and it’s important that IT provide the capability to understand who is using the app and to delete or add users as employees come and go. This level of management is a critical capability in the enterprise context, and consumer apps are not designed for these purposes.
Editor: What are the critical considerations when selecting a file-sharing app?
Brown: Legal departments and law firms are good examples, and the capabilities we’ve been discussing apply to them equally, though sometimes in different ways. Law firms deal with sensitive client data and need a tool or a BYOD policy with very strong data protection capabilities/protocols. The same is true for corporate legal departments, particularly in regulated industries that are managing complex compliance schemes. Both organizations require extensive visibility around the devices and data being used, and they all need tools for data-related policy reporting and monitoring.
These enterprises also have internal systems that are integral to their daily work, such as email and document or practice management systems, so it’s important that their technology solutions fit within that ecosystem and their workflows without disrupting the way people work.
Workshare’s strategic advisory board, which is comprised of corporate and law firm customers from around the globe, reports that productivity is a key concern. They want their end users, i.e., their lawyers, to have the right tools and, specifically, technology solutions that integrate well with Outlook, the desktop choice of most. Time is always a critical consideration, and getting the job done shouldn’t require five clicks or swipes, but just one.
Editor: As an example of specific capabilities, tell us how Workshare’s Deltaview technology ties in with these productivity and user-satisfaction goals.
Brown: Our technology focuses on ensuring productivity, reducing organizational risk, and creating a delightful user experience. Deltaview is our original comparison technology, which we’ve now incorporated into all of Workshare’s cloud collaboration and file-sharing solutions. Now, Workshare’s comparison technology offers the ability to understand and track changes that people have made throughout the document collaboration process. And we’ve embedded policy and security functions into all of our apps to ensure that data is properly encrypted, that no data is mistakenly revealed, and that no hidden information, such as track changes, is inadvertently left behind. At Workshare, we focus on striking the right balance between productivity and security.
Published August 22, 2013.
